dcrat | bfc13441bd2bf25251d8b16ff5fdabb102204eaacec92bf4db8274d7a29e81b1

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 19:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_bfc13441bd2bf25251d8b16ff5fdabb102204eaacec92bf4db8274d7a29e81b1.exe
Size

1.3MB
MD5

64b562295d882f60569eec9fb9ee2b53
SHA1

ee3e09995e7ae6902157a158dbad746bdc22ffbf
SHA256

bfc13441bd2bf25251d8b16ff5fdabb102204eaacec92bf4db8274d7a29e81b1
SHA512

08b9034159079b3e7d8a7dfec55693d75168016ec7d17d1a5f1afb02b8c5ef57716c4a2d914b228718da848876cac72870ca8d0ade8aa543b316a0e13d59df0f
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2528	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2528	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	2528	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2496	2528	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2528	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	2528	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	2528	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	2528	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	2528	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2528	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	2528	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	2528	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	2528	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2528	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	2528	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1032	2528	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	2528	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	2528	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1516	2528	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	2528	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	2528	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	2528	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	2528	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2528	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2528	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	2528	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	2528	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	2528	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	2528	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	952	2528	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	616	2528	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	2528	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	2528	schtasks.exe	34

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0009000000016009-9.dat	dcrat
behavioral1/memory/2784-13-0x0000000000A40000-0x0000000000B50000-memory.dmp	dcrat
behavioral1/memory/1780-71-0x0000000000FC0000-0x00000000010D0000-memory.dmp	dcrat
behavioral1/memory/2196-166-0x0000000000170000-0x0000000000280000-memory.dmp	dcrat
behavioral1/memory/2816-226-0x0000000000060000-0x0000000000170000-memory.dmp	dcrat
behavioral1/memory/2204-286-0x0000000001050000-0x0000000001160000-memory.dmp	dcrat
behavioral1/memory/532-702-0x0000000001140000-0x0000000001250000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1680	powershell.exe
1556	powershell.exe
1856	powershell.exe
1036	powershell.exe
1528	powershell.exe
1772	powershell.exe
2324	powershell.exe
1696	powershell.exe
1592	powershell.exe
2328	powershell.exe
308	powershell.exe
2184	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2784	DllCommonsvc.exe
1780	conhost.exe
2196	conhost.exe
2816	conhost.exe
2204	conhost.exe
492	conhost.exe
1800	conhost.exe
1692	conhost.exe
2752	conhost.exe
1780	conhost.exe
2680	conhost.exe
532	conhost.exe

Loads dropped DLL 2 IoCs

pid	Process
2516	cmd.exe
2516	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
12	raw.githubusercontent.com
19	raw.githubusercontent.com
27	raw.githubusercontent.com
34	raw.githubusercontent.com
41	raw.githubusercontent.com
4	raw.githubusercontent.com
9	raw.githubusercontent.com
16	raw.githubusercontent.com
23	raw.githubusercontent.com
30	raw.githubusercontent.com
37	raw.githubusercontent.com
5	raw.githubusercontent.com

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Photo Viewer\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\lsass.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\Idle.exe	DllCommonsvc.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\conhost.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_32\conhost.exe	DllCommonsvc.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\088424020bedd6	DllCommonsvc.exe
File created	C:\Windows\RemotePackages\RemoteApps\services.exe	DllCommonsvc.exe
File created	C:\Windows\RemotePackages\RemoteApps\c5b4cb5e9653cc	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_bfc13441bd2bf25251d8b16ff5fdabb102204eaacec92bf4db8274d7a29e81b1.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2836	schtasks.exe
2848	schtasks.exe
2232	schtasks.exe
1936	schtasks.exe
1148	schtasks.exe
2820	schtasks.exe
1516	schtasks.exe
1048	schtasks.exe
1988	schtasks.exe
952	schtasks.exe
616	schtasks.exe
2280	schtasks.exe
2984	schtasks.exe
1908	schtasks.exe
1032	schtasks.exe
2676	schtasks.exe
1720	schtasks.exe
1916	schtasks.exe
1952	schtasks.exe
3024	schtasks.exe
2200	schtasks.exe
1044	schtasks.exe
3016	schtasks.exe
1736	schtasks.exe
1532	schtasks.exe
1724	schtasks.exe
1632	schtasks.exe
1800	schtasks.exe
2900	schtasks.exe
1580	schtasks.exe
2496	schtasks.exe
2944	schtasks.exe
1728	schtasks.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
2784	DllCommonsvc.exe
2784	DllCommonsvc.exe
2784	DllCommonsvc.exe
2784	DllCommonsvc.exe
2784	DllCommonsvc.exe
1696	powershell.exe
1772	powershell.exe
1528	powershell.exe
2184	powershell.exe
1592	powershell.exe
2324	powershell.exe
2328	powershell.exe
308	powershell.exe
1036	powershell.exe
1556	powershell.exe
1856	powershell.exe
1680	powershell.exe
1780	conhost.exe
2196	conhost.exe
2816	conhost.exe
2204	conhost.exe
492	conhost.exe
1800	conhost.exe
1692	conhost.exe
2752	conhost.exe
1780	conhost.exe
2680	conhost.exe
532	conhost.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	2784	DllCommonsvc.exe
Token: SeDebugPrivilege	1696	powershell.exe
Token: SeDebugPrivilege	1772	powershell.exe
Token: SeDebugPrivilege	1528	powershell.exe
Token: SeDebugPrivilege	2184	powershell.exe
Token: SeDebugPrivilege	1592	powershell.exe
Token: SeDebugPrivilege	1780	conhost.exe
Token: SeDebugPrivilege	2324	powershell.exe
Token: SeDebugPrivilege	2328	powershell.exe
Token: SeDebugPrivilege	308	powershell.exe
Token: SeDebugPrivilege	1036	powershell.exe
Token: SeDebugPrivilege	1556	powershell.exe
Token: SeDebugPrivilege	1856	powershell.exe
Token: SeDebugPrivilege	1680	powershell.exe
Token: SeDebugPrivilege	2196	conhost.exe
Token: SeDebugPrivilege	2816	conhost.exe
Token: SeDebugPrivilege	2204	conhost.exe
Token: SeDebugPrivilege	492	conhost.exe
Token: SeDebugPrivilege	1800	conhost.exe
Token: SeDebugPrivilege	1692	conhost.exe
Token: SeDebugPrivilege	2752	conhost.exe
Token: SeDebugPrivilege	1780	conhost.exe
Token: SeDebugPrivilege	2680	conhost.exe
Token: SeDebugPrivilege	532	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 2696	2980	JaffaCakes118_bfc13441bd2bf25251d8b16ff5fdabb102204eaacec92bf4db8274d7a29e81b1.exe	30
PID 2980 wrote to memory of 2696	2980	JaffaCakes118_bfc13441bd2bf25251d8b16ff5fdabb102204eaacec92bf4db8274d7a29e81b1.exe	30
PID 2980 wrote to memory of 2696	2980	JaffaCakes118_bfc13441bd2bf25251d8b16ff5fdabb102204eaacec92bf4db8274d7a29e81b1.exe	30
PID 2980 wrote to memory of 2696	2980	JaffaCakes118_bfc13441bd2bf25251d8b16ff5fdabb102204eaacec92bf4db8274d7a29e81b1.exe	30
PID 2696 wrote to memory of 2516	2696	WScript.exe	31
PID 2696 wrote to memory of 2516	2696	WScript.exe	31
PID 2696 wrote to memory of 2516	2696	WScript.exe	31
PID 2696 wrote to memory of 2516	2696	WScript.exe	31
PID 2516 wrote to memory of 2784	2516	cmd.exe	33
PID 2516 wrote to memory of 2784	2516	cmd.exe	33
PID 2516 wrote to memory of 2784	2516	cmd.exe	33
PID 2516 wrote to memory of 2784	2516	cmd.exe	33
PID 2784 wrote to memory of 2324	2784	DllCommonsvc.exe	68
PID 2784 wrote to memory of 2324	2784	DllCommonsvc.exe	68
PID 2784 wrote to memory of 2324	2784	DllCommonsvc.exe	68
PID 2784 wrote to memory of 1680	2784	DllCommonsvc.exe	69
PID 2784 wrote to memory of 1680	2784	DllCommonsvc.exe	69
PID 2784 wrote to memory of 1680	2784	DllCommonsvc.exe	69
PID 2784 wrote to memory of 1696	2784	DllCommonsvc.exe	71
PID 2784 wrote to memory of 1696	2784	DllCommonsvc.exe	71
PID 2784 wrote to memory of 1696	2784	DllCommonsvc.exe	71
PID 2784 wrote to memory of 1556	2784	DllCommonsvc.exe	72
PID 2784 wrote to memory of 1556	2784	DllCommonsvc.exe	72
PID 2784 wrote to memory of 1556	2784	DllCommonsvc.exe	72
PID 2784 wrote to memory of 1772	2784	DllCommonsvc.exe	73
PID 2784 wrote to memory of 1772	2784	DllCommonsvc.exe	73
PID 2784 wrote to memory of 1772	2784	DllCommonsvc.exe	73
PID 2784 wrote to memory of 1592	2784	DllCommonsvc.exe	75
PID 2784 wrote to memory of 1592	2784	DllCommonsvc.exe	75
PID 2784 wrote to memory of 1592	2784	DllCommonsvc.exe	75
PID 2784 wrote to memory of 1856	2784	DllCommonsvc.exe	76
PID 2784 wrote to memory of 1856	2784	DllCommonsvc.exe	76
PID 2784 wrote to memory of 1856	2784	DllCommonsvc.exe	76
PID 2784 wrote to memory of 2184	2784	DllCommonsvc.exe	77
PID 2784 wrote to memory of 2184	2784	DllCommonsvc.exe	77
PID 2784 wrote to memory of 2184	2784	DllCommonsvc.exe	77
PID 2784 wrote to memory of 308	2784	DllCommonsvc.exe	78
PID 2784 wrote to memory of 308	2784	DllCommonsvc.exe	78
PID 2784 wrote to memory of 308	2784	DllCommonsvc.exe	78
PID 2784 wrote to memory of 2328	2784	DllCommonsvc.exe	79
PID 2784 wrote to memory of 2328	2784	DllCommonsvc.exe	79
PID 2784 wrote to memory of 2328	2784	DllCommonsvc.exe	79
PID 2784 wrote to memory of 1528	2784	DllCommonsvc.exe	80
PID 2784 wrote to memory of 1528	2784	DllCommonsvc.exe	80
PID 2784 wrote to memory of 1528	2784	DllCommonsvc.exe	80
PID 2784 wrote to memory of 1036	2784	DllCommonsvc.exe	81
PID 2784 wrote to memory of 1036	2784	DllCommonsvc.exe	81
PID 2784 wrote to memory of 1036	2784	DllCommonsvc.exe	81
PID 2784 wrote to memory of 1780	2784	DllCommonsvc.exe	92
PID 2784 wrote to memory of 1780	2784	DllCommonsvc.exe	92
PID 2784 wrote to memory of 1780	2784	DllCommonsvc.exe	92
PID 1780 wrote to memory of 1740	1780	conhost.exe	93
PID 1780 wrote to memory of 1740	1780	conhost.exe	93
PID 1780 wrote to memory of 1740	1780	conhost.exe	93
PID 1740 wrote to memory of 2016	1740	cmd.exe	95
PID 1740 wrote to memory of 2016	1740	cmd.exe	95
PID 1740 wrote to memory of 2016	1740	cmd.exe	95
PID 1740 wrote to memory of 2196	1740	cmd.exe	96
PID 1740 wrote to memory of 2196	1740	cmd.exe	96
PID 1740 wrote to memory of 2196	1740	cmd.exe	96
PID 2196 wrote to memory of 2512	2196	conhost.exe	97
PID 2196 wrote to memory of 2512	2196	conhost.exe	97
PID 2196 wrote to memory of 2512	2196	conhost.exe	97
PID 2512 wrote to memory of 2956	2512	cmd.exe	99

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bfc13441bd2bf25251d8b16ff5fdabb102204eaacec92bf4db8274d7a29e81b1.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bfc13441bd2bf25251d8b16ff5fdabb102204eaacec92bf4db8274d7a29e81b1.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2516
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2784
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2324
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\assembly\GAC_32\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1680
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1696
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Favorites\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1556
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1772
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1592
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1856
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2184
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:308
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2328
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Libraries\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1528
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\RemotePackages\RemoteApps\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1036
    - - C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\conhost.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\conhost.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1780
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CL2HVdYORd.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1740
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2016
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\conhost.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\conhost.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WqeaogqjWu.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2512
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2956
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\conhost.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\conhost.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2816
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6VAw4LgrmW.bat"
        10⤵
        
        PID:2428
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1692
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\conhost.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\conhost.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2204
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pI0EcicZAo.bat"
        12⤵
        
        PID:2752
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2980
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\conhost.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\conhost.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:492
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vbXk1H8t4K.bat"
        14⤵
        
        PID:464
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1456
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\conhost.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\conhost.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1800
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uMS4yFj28m.bat"
        16⤵
        
        PID:1412
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2308
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\conhost.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\conhost.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1692
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hGpPWS23Hw.bat"
        18⤵
        
        PID:2524
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2728
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\conhost.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\conhost.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2752
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZcfpJnj91J.bat"
        20⤵
        
        PID:2632
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2232
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\conhost.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\conhost.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1780
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MsSi1KDKJG.bat"
        22⤵
        
        PID:1528
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1680
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\conhost.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\conhost.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2680
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\q3WH03M43W.bat"
        24⤵
        
        PID:2652
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2544
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\conhost.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\conhost.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:532
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wtOcRLEbie.bat"
        26⤵
        
        PID:2488
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Windows\Microsoft.NET\assembly\GAC_32\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\assembly\GAC_32\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Windows\Microsoft.NET\assembly\GAC_32\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Photo Viewer\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Favorites\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default\Favorites\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Favorites\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Libraries\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\Libraries\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Libraries\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Windows\RemotePackages\RemoteApps\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteApps\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Windows\RemotePackages\RemoteApps\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
87ab923508d29045126a9840b0cbc9f3

SHA1
354c567cd012623baa53d5699529c47387b6b215

SHA256
f4288cc6b74027ca3136b5bb9c3edf060ee909503531087960d34a8645a315bd

SHA512
1f0ad3f6f7f07909fd0f380a49310d34805f5ebbf250990a436c9aed7b2617f3a33c739a30e819f8b940a3d66a19e516d8d6714b5944a79a1704b0fc12fdcfbe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
86059385e025f4a921090c81c3c8bd85

SHA1
a94179043d83a3a385a9a95fc76ef0206f8312df

SHA256
26b7dd9931f9789acbe6b77f5c57bcc5eeca282434b8054cb5bfb049c18be311

SHA512
a32a8f8e23011daf5ca0d0cc2337f6100a0a20c6de044cb00bfe844bc4a155de9918af6de4ebc4a97f5ea4ca704af0bb5befd51fe740eea155560df849396a50

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
510a71fe4e5ced6abe5843cd8f39580e

SHA1
b93f940423863523052d6f62a418927112e76fad

SHA256
d412d8191ba1672866e4eb1de7e05e6a7e3331abe69873fce83fa9291e0322e4

SHA512
04fb062f641cc202655f28bc9c431442f64b476b7b376c54ab48a8f8d17b571496729e53f24b8608ffe2040849c4076043d61a3bf6e33765b7669441eb0aab72

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c9a051507e90e6859929787af9a7af91

SHA1
1dffd10d91f6127cb8b1933acc5165b21df87c1a

SHA256
9796fc0c833f720e8ccebcee464670af7aec21808a122a5aabe60943aacbcdad

SHA512
02d10e4e68e509a328383cad4d73f919f3744ce82d52d9db3c67548a111200d192bc516f725f9df9ccd374cc80836f64d653cc22a4f21b33c8735ad80da6a8cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
484299fe2321850507d4c3abed3d7cfc

SHA1
6419f6010270d524dde8e0ee51bb92be8e145327

SHA256
8508cb84326df10d1a7205b734fbd5207ca5b25982d1fddc4627b95e2dd724dd

SHA512
e7f727677a1b59209984b46946fc6f6c2436077e01e5f4da89e46a51d78aba1066decdaa1ac73f1cfd120813703f5279772a53c7885205274dba9c417342af11

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cb1f79c78450078fcc9a4325753ba888

SHA1
15e07c10aadc36d52e3bccb6775dbc086de24fbc

SHA256
d5e7b1fc89bdd6000fbe4461f56cadbd3c3c375b7bb94600fcb157fb665b2de2

SHA512
0c20464f33dd60545120709151425642aa4de40859b5bd0c0016c580117d93a99f8a0222e24ead56352c89942272fb7ec9160c93f481371a37bdb2431261d5b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d9de7256677bc113cf04cfe365ac72bd

SHA1
b52ceee00a508eada966039b852c699e43d76ce1

SHA256
d35520317ae99d00cdca6b789d496e595e7403e112539e55ec5de586dbc6b1fd

SHA512
87a3cc30b4bc7ddc3d5a8ffa960469e82c921e66de29e493ff4b9d7d13df34ae57b09e091bd3e3d55fdadb5a5b32ad98077bccf34a76ce6697e112a5bbe1d2d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
15b02b6454463aaae94bc13b5a9523c7

SHA1
0ca8b4342bde807e5bbfe9e335fcb0bea09e726c

SHA256
0c4349b7729c7ddadf667b3e176c858a27125e424e84b27fec3b865c113f058b

SHA512
9621a70cb72771033e0582aa6845e7de8369f9dd3088302a0c6ddc8bb1455dc24afa3040b654c232f0a940ec5d1de50066706a4b56bf2832026eeea2532c6a8b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fa9d4d15fede0c05a1161d37a8665632

SHA1
730f0b66e6827fa14490eb8ce325d3be5685f0d2

SHA256
9c0e96f452d6665cc4f88f7c4ba6194574998085e1791a5d539724693598b0eb

SHA512
35b0a4a5aa0acc2d87cf2520da01dc8018fdedf597d4ac6189be93ecf66de1eba92cad9090b2e19d4950db06ab3a33f0c1bc486c43526cb68a02026ad84bee10

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b87560791ccf9e3e9362e29fa7370a7a

SHA1
b8ebf4bc5aeab662fd5075120cfc5db4bb73937a

SHA256
5621d96f981a74cc25854fe49759e595707647ae4f910f0ba67cf2c1de4fd7cb

SHA512
8fc89f689b7b22ee9bed9cbd620bada775bb257771574958caee08377413d754297d37ec4dfecc696acd559cf83d570425c965deaf52926e4ae42fcd3116f4d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\6VAw4LgrmW.bat

Filesize
225B

MD5
c4fdfb54bc9f35baf1a078c909ab8b4f

SHA1
da0679479a59f8da04421146a73848a5b600c0bc

SHA256
e3478ccb7ac70ef581e9ea67c614a1374825aa1b1c8fa65440cbe2b4a06f2a2a

SHA512
9baaa4d09d389b700bbb2061ce0d1020eff6261491e4d2e59cbaeb7a1f0ad32b3ad129a3e367b3b2e45206ef7ee3a83fe93b739fc1511840bec20d7a141af623

Download Submit
C:\Users\Admin\AppData\Local\Temp\CL2HVdYORd.bat

Filesize
225B

MD5
1485324507732907320f998706de0179

SHA1
ab57be79803ca30c0473887b5f36ab055889a4da

SHA256
de561bfb9328bcbc77008968a622631823f54ecd687b91ade52d162cf224ba53

SHA512
35d45be92c3d2b30cd39e0a1631fbb3bec170537fa7095dc11f03309c7942fda41e671703feab5f2a56f78418da732ea2b948cbfea39d76518c914ae4f398b29

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab206E.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MsSi1KDKJG.bat

Filesize
225B

MD5
2f8f7802ce7abb1f493bdd94b8e7f5f9

SHA1
b00f9448bf59e16ddf2b3e25494ccbb31ba76745

SHA256
fb350ddced4736f99f12bcdc924e80a2a86924abf4fb2b88bfe25c4d04fd98c3

SHA512
b6c29832e68d314e5112be30c58fe6c22cd3dd4609ba356817ef9f16960b1de3577e728a6274db103d9a2a17b0176fa251eeed5450ddfecc1929e9acdef219cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2071.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WqeaogqjWu.bat

Filesize
225B

MD5
fd94fb0306a7438df5c53bd18030b639

SHA1
d823faeac45c52781e7661f77871d5620f18a14e

SHA256
50c52bebebddeccc4b3633730bceec9761877bac34f7c30ac79119d2ce16faa1

SHA512
50a00c4d791b32f6f275d72eec1746bea9ce0f8af2119969d27b46850fd07f761c0ab9669731b2c6a6ee1c4b3d14b187334d2c329532d1482dff917b112e102e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZcfpJnj91J.bat

Filesize
225B

MD5
9c026c72292bebe9529ee7d9df7b1b86

SHA1
05f13e1363548d0ab269ac22c220118d37a536fe

SHA256
41b51fd5b6b5aa3e7acfa7c304d7a14e364defce8e39f121f6b0c78ace7e259d

SHA512
0a2fdf5c093c97252c30e8446dbb36fddc4b9ff0fea8599a313ee2c7440dac00706d890a0267c61284ffa3324b7ab1850066e2e0381119a96f1f818189312fb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\hGpPWS23Hw.bat

Filesize
225B

MD5
95febd7e0fd18b8d3beffba1ac270aa1

SHA1
eef703ca7cc8edffa3a719153897ee48b492a88a

SHA256
33a4ee9f9c6c94913cb61deb82239aa71e80b58b3eb189316aa4fadd16ccd987

SHA512
e8baffa961d09cf443ee6907758c54e09f8c8bc9e6580c1d376042a46b9c1d5a1b1d3a45b61d4e2794b1d3214a81feaf8137a145387798d92091bbddb89180bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\pI0EcicZAo.bat

Filesize
225B

MD5
29c5817d950e9884d8a00fd1446569bb

SHA1
177fd22eebc90bce283cc30d0187c5c437199365

SHA256
a40dd4051c9cf8adeaeab85ef42892184c51699c5e7b5470135f6f60e1289d63

SHA512
dee6fdf87819855ae075b011aaa7dab5c6ae91f80ba46375e2372e7817af37b15e1915f553004650759febdd0e47f8d3da4a0e0e1f68018019ea8a01e0c42c0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\q3WH03M43W.bat

Filesize
225B

MD5
0727ae107b71651dc48221c07ab7c8ff

SHA1
66d329e1e5db161b072a146b0d5a6bd67f949983

SHA256
0be0fcd1cde2af4006a3e42a4647500d6abb98cdec50b920a7ed66242370467b

SHA512
23bb3950b52fc933a340a7d2e74d9d2f52b0c2cbf551dd2b17eb3142367a6475a82fd4a01c2056a4fd1f3295d8df315067379602b9aeaf7ffc916b8b14993068

Download Submit
C:\Users\Admin\AppData\Local\Temp\uMS4yFj28m.bat

Filesize
225B

MD5
5469cb52ed5af5b3325ba42f9896d5bd

SHA1
811c30504b67b5319857cfb5d552ff37f9fa05d7

SHA256
d67dca98a93d25f5ac47eb440a58bd822cb8c6d4b03e4abfe0eb3e959a944146

SHA512
264b34c973e2b8b2878a652e99b32ac7fe3eea12be981ad6e05114b4430ac7c6b4a40bb7369d5a83d6979aa0d72b0d9d5f5c95ff1b4c335bbd20134ce9603487

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbXk1H8t4K.bat

Filesize
225B

MD5
7af97e6d3d27f5ba46200805f7086aca

SHA1
65a91c87a2bf340fd1f6b54e8d55762dd849f7a2

SHA256
a78d87e85b0329a399aa18bc5d850308335156e3a6e50ce45e78500d16c117a0

SHA512
d76c368fe4a5f0a372233932c70022f0274fd6f27483122b0f990e021d0e808e4ec8f2b3c214645233d1361651335bbda759ded75717ac0c2c8a070a0af053af

Download Submit
C:\Users\Admin\AppData\Local\Temp\wtOcRLEbie.bat

Filesize
225B

MD5
320a0137c02b39261e26673dc1115f12

SHA1
92de5047fecf39d165a120b2dcf2b6d1df43035d

SHA256
8f3261636ebedfff4433f26e1652605c627e6c16e4942970414c27dca08080cd

SHA512
ef83a83e7351f4b810d741ed8a73c740a9bfa89fbaa4badcb7bb64ea1b1eb21d18bc5e4ac2a013e20217ab3a5a42effde72039e49a8c7d75840f1c1a14c85550

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
398d5811277023f46efe50b2d9f4095a

SHA1
eca78d00c2bd2290dd4acb8b03abef85511bf4e1

SHA256
77800e14d32470d19c703a10ca5193c7e63830dda8e5f735acbe10819b6033c3

SHA512
23681192d6d1b456f6107bab3b178c15867f48d293ca4952bc28aee2402c708d3160271434079ac1b04019f421289e41ce9d8e0ce97c959e066d65daa662fbb4

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/532-702-0x0000000001140000-0x0000000001250000-memory.dmp

Filesize
1.1MB

Download
memory/1528-107-0x0000000002080000-0x0000000002088000-memory.dmp

Filesize
32KB

Download
memory/1772-106-0x000000001B510000-0x000000001B7F2000-memory.dmp

Filesize
2.9MB

Download
memory/1780-71-0x0000000000FC0000-0x00000000010D0000-memory.dmp

Filesize
1.1MB

Download
memory/1780-583-0x0000000000450000-0x0000000000462000-memory.dmp

Filesize
72KB

Download
memory/2196-166-0x0000000000170000-0x0000000000280000-memory.dmp

Filesize
1.1MB

Download
memory/2204-287-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2204-286-0x0000000001050000-0x0000000001160000-memory.dmp

Filesize
1.1MB

Download
memory/2784-17-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2784-16-0x00000000003F0000-0x00000000003FC000-memory.dmp

Filesize
48KB

Download
memory/2784-15-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/2784-14-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/2784-13-0x0000000000A40000-0x0000000000B50000-memory.dmp

Filesize
1.1MB

Download
memory/2816-226-0x0000000000060000-0x0000000000170000-memory.dmp

Filesize
1.1MB

Download